---
sidebar_label: API Limits
sidebar_position: 23
description: Manage API limits configuration with the Hasura metadata API
keywords:
  - hasura
  - docs
  - metadata API
  - API reference
  - security options
  - API limits
  - Rate limits
  - limits
  - enterprise
  - ee
---

import ProductBadge from '@site/src/components/ProductBadge';

# Metadata API Reference: API Limits

<ProductBadge free pro ee self />

## Introduction

Here's the API to manage [API Limits](/security/api-limits.mdx) related metadata.

## set_api_limits {#metadata-set-api-limits}

You can configure api limits using the `set_api_limits` API.

```http
POST /v1/metadata HTTP/1.1
Content-Type: application/json
X-Hasura-Role: admin

{
    "type": "set_api_limits",
    "args": {
        "disabled": false,
        "depth_limit": {
            "global": 5,
            "per_role": {
                "myrole": 3
            }
        },
        "node_limit": {
            "global": 5,
            "per_role": {
                "myrole": 3
            }
        },
        "time_limit": {
            "global": 5,
            "per_role": {
                "myrole": 3
            }
        },
        "batch_limit": {
            "global": 5,
            "per_role": {
                "myrole": 3
            }
        },
        "rate_limit": {
            "global": {
                "unique_params": "IP",
                "max_reqs_per_min": 100
            },
            "per_role": {
                "myrole": {
                    "unique_params": ["x-hasura-id", "x-hasura-team-id"],
                    "max_reqs_per_min": 10
                }
            }
        }
    }
}
```

### Args syntax {#set-api-limits-syntax}

| Key         | Required | Schema                                                            | Description                                                                                          |
| ----------- | -------- | ----------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
| disabled    | false    | boolean                                                           | Default value is false (Limits are enabled by default)                                               |
| depth_limit | false    | [APILimitOption](/api-reference/syntax-defs.mdx#apilimitoption)   | Restriction based on its depth, preventing deeply nested queries                                     |
| node_limit  | false    | [APILimitOption](/api-reference/syntax-defs.mdx#apilimitoption)   | Restriction based on the number of nodes in GraphQL operation response                               |
| time_limit  | false    | [APILimitOption](/api-reference/syntax-defs.mdx#apilimitoption)   | Restricts the time that a GraphQL operation is allowed to take. The duration is specified in seconds |
| batch_limit | false    | [APILimitOption](/api-reference/syntax-defs.mdx#apilimitoption)   | Restricts the number of GraphQL operations in a batched request                                      |
| rate_limit  | false    | [RateLimitOption](/api-reference/syntax-defs.mdx#ratelimitoption) | Restricts number of GraphQL operations per minute                                                    |

In the above metadata spec:

1.  The API Limits are enabled by default, i.e the default value of `disabled` is `false`
2.  When `disabled` is `false` and none of the API Limits are set then no API limits are applied.
3.  The `global` field in all the API Limits is mandatory, and is used as the default API limit if no `per_role` option
    is set for the user.
4.  The `per_role` can be used to override the `global` API Limit value
5.  For `rate_limit` if no `unique_params` are provided then, the requests will be rate-limited on the `role_name` i.e
    the `X-HASURA-ROLE` that is used to issue the request

:::info Note

The API will throw a warning if the configured `time_limit` is greater than the Cloud time limit. The Cloud time limit
will be used in such cases.

:::

## remove_api_limits {#metadata-remove-api-limits}

You can remove **all** the api limits that have been set using `remove_api_limit` API.

```http
POST /v1/metadata HTTP/1.1
Content-Type: application/json
X-Hasura-Role: admin

{
    "type": "remove_api_limits"
    "args": {}
}
```
